CN109547208B - Online distribution method and system for master key of financial electronic equipment - Google Patents


Publication number
CN109547208B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811364197.1A
Other languages
Chinese (zh)
Other versions
CN109547208A (en)
Inventor
刘玮
陈凯
徐平
王浩
杜永刚
李剑锋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Bank of Communications Co Ltd
Original Assignee
Bank of Communications Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02 Banking, e.g. interest calculation or account maintenance
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H04L9/3271 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash

Abstract

The invention provides a method and system for online distribution of a financial electronic equipment master key, comprising the following steps: the financial institution transmits the first public key to the manufacturer; the manufacturer transmits to the financial institution the second public key and the first signature information, which is obtained by signing the first public key with the second private key; the electronic equipment transmits the third public key to the manufacturer and the financial institution; the manufacturer transmits to the electronic equipment and the financial institution the second public key and the second signature information, which is obtained by signing the third public key with the second private key; after signature verification passes, the financial institution generates a master key, encrypts it with the third public key to obtain a master key ciphertext, signs the master key ciphertext with the first private key to obtain third signature information, and transmits the third signature information, the master key ciphertext, the first public key, the first signature information and a first master key check value to the electronic equipment; and after verifying the signature information, the electronic equipment obtains the master key by using the third private key, calculates a second master key check value, compares it with the first master key check value, and stores the master key when the two are consistent. The scheme improves the security and efficiency of master key transmission between the electronic equipment and the financial institution.

Description

Online distribution method and system for master key of financial electronic equipment
Technical Field
The invention relates to the technical field of financial key distribution, in particular to a financial electronic equipment master key online distribution method and system.
Background
An asymmetric encryption algorithm is a kind of key-based encryption algorithm; the common ones are mainly the international algorithm RSA and the national cryptographic algorithm SM2. An asymmetric encryption algorithm requires two keys, a public key and a private key, which form a pair. Data encrypted with the public key can be decrypted only with the corresponding private key; data encrypted with the private key can be decrypted only with the corresponding public key.
The traditional scheme for distributing the master key of financial electronic equipment is carried out offline. The main flow is generally as follows: a hardware encryption module (HSM) generates a device master key (TMK), the TMK is split into two components, and a printer prints the components into password envelopes; two staff members each hold one component, and a supervisor oversees them to prevent the two key holders from communicating with each other. Each staff member enters his or her component on the financial electronic equipment, and the equipment combines the components and stores the result. Under the supervisor's oversight, the key holders then promptly destroy their key components. This way of transmitting the master key is insufficiently secure and inefficient.
Disclosure of Invention
The embodiment of the invention provides a financial electronic equipment master key online distribution method and system, and solves the technical problems of insufficient safety and low efficiency of master key transmission between financial electronic equipment and a financial institution.
The embodiment of the invention provides an online distribution method of a master key of financial electronic equipment, which comprises the following steps:
the financial institution confidential management system generates and stores a first public/private key pair (the first public key and the first private key) and sends the first public key to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system generates and stores a second public/private key pair (the second public key and the second private key), signs the first public key with the second private key to obtain first signature information, and sends the second public key and the first signature information to the financial institution confidential management system;
the financial electronic equipment generates and stores a third public/private key pair (the third public key and the third private key) and sends the third public key to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system signs the third public key with the second private key to obtain second signature information, and sends the second public key and the second signature information to the financial electronic equipment;
the financial electronic equipment sends the third public key and the second signature information to the financial institution confidential management system;
the financial institution confidential management system verifies the second signature information with the second public key, generates a master key after the verification passes, encrypts the master key with the third public key to obtain a master key ciphertext, signs the master key ciphertext with the first private key to obtain third signature information, and sends the third signature information, the master key ciphertext, the first public key, the first signature information and a first master key check value to the financial electronic equipment;
the financial electronic equipment verifies the first signature information with the second public key; after that verification passes, it verifies the third signature information with the first public key; after that verification succeeds, it decrypts the master key ciphertext with the third private key to obtain the master key, calculates a second master key check value from the master key, compares the second master key check value with the first master key check value, and stores the master key if the two are consistent.
The embodiment of the invention also provides an online distribution system for the master key of financial electronic equipment, which comprises the following components:
the financial institution confidential management system, the financial electronic equipment manufacturer system and the financial electronic equipment;
the financial institution confidential management system is used for: generating and storing a first public/private key pair (the first public key and the first private key) and sending the first public key to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system is used for: generating and storing a second public/private key pair (the second public key and the second private key), signing the first public key with the second private key to obtain first signature information, and sending the second public key and the first signature information to the financial institution confidential management system;
the financial electronic equipment is used for: generating and storing a third public/private key pair (the third public key and the third private key) and sending the third public key to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system is used for: signing the third public key with the second private key to obtain second signature information, and sending the second public key and the second signature information to the financial electronic equipment;
the financial electronic equipment is used for: sending the third public key and the second signature information to the financial institution confidential management system;
the financial institution confidential management system is used for: verifying the second signature information with the second public key, generating a master key after the verification passes, encrypting the master key with the third public key to obtain a master key ciphertext, signing the master key ciphertext with the first private key to obtain third signature information, and sending the third signature information, the master key ciphertext, the first public key, the first signature information and a first master key check value to the financial electronic equipment;
the financial electronic equipment is used for: verifying the first signature information with the second public key; after that verification passes, verifying the third signature information with the first public key; after that verification succeeds, decrypting the master key ciphertext with the third private key to obtain the master key, calculating a second master key check value from the master key, comparing the second master key check value with the first master key check value, and storing the master key if the two are consistent.
The embodiment of the invention also provides computer equipment, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the computer program to realize the online distribution method of the master key of the financial electronic equipment.
The embodiment of the invention also provides a computer readable storage medium, and the computer readable storage medium stores a computer program for executing the online distribution method of the financial electronic device master key.
The embodiment of the invention also provides an online distribution method for the master key of financial electronic equipment, which comprises the following steps:
the financial institution confidential management system generates a symmetric key and sends the symmetric key to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system sends the symmetric key to the financial electronic equipment;
the financial electronic equipment generates a discrete factor and sends the discrete factor to the financial institution confidential management system;
the financial institution confidential management system obtains a protection key from the symmetric key, the discrete factor and a preset discrete key algorithm, encrypts the master key with the protection key to obtain an encrypted master key, and sends the encrypted master key to the financial electronic equipment;
the financial electronic equipment obtains the protection key from the symmetric key, the discrete factor and the preset discrete key algorithm, and decrypts the encrypted master key with the protection key to obtain the master key plaintext.
The embodiment of the invention also provides an online distribution system for the master key of financial electronic equipment, which comprises the following components:
the financial institution confidential management system, the financial electronic equipment manufacturer system and the financial electronic equipment;
the financial institution confidential management system is used for: generating a symmetric key and sending the symmetric key to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system is used for: sending the symmetric key to the financial electronic equipment;
the financial electronic equipment is used for: generating a discrete factor and sending the discrete factor to the financial institution confidential management system;
the financial institution confidential management system is used for: obtaining a protection key from the symmetric key, the discrete factor and a preset discrete key algorithm, encrypting the master key with the protection key to obtain an encrypted master key, and sending the encrypted master key to the financial electronic equipment;
the financial electronic equipment is used for: obtaining the protection key from the symmetric key, the discrete factor and the preset discrete key algorithm, and decrypting the encrypted master key with the protection key to obtain the master key plaintext.
The embodiment of the invention also provides computer equipment, which comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, wherein the processor executes the computer program to realize the online distribution method of the master key of the financial electronic equipment.
The embodiment of the invention also provides a computer readable storage medium, and the computer readable storage medium stores a computer program for executing the online distribution method of the financial electronic device master key.
In the embodiment of the invention, public key identities are introduced for the electronic equipment, the electronic equipment manufacturer and the financial institution, an interaction process among the financial institution confidential management system, the financial electronic equipment manufacturer system and the financial electronic equipment is provided, and the risk and performance problems of master key transmission between the financial electronic equipment and the financial institution are solved through online bidirectional authentication.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a block diagram (I) of the structure and information interaction of a financial electronic equipment master key online distribution system according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for online distribution of a master key of financial electronic equipment according to an embodiment of the present invention;
Fig. 3 is a block diagram (II) of the structure and information interaction of the financial electronic equipment master key online distribution system according to the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The present invention uses asymmetric encryption algorithms in two ways:
First, encryption with the public key and decryption with the private key. The invention requires the use of a hardware encryption module (HSM), and no private key is allowed to leave its encryption module. Data encrypted with a public key can be decrypted only by the corresponding hardware encryption module and not by any other module. This provides encrypted transmission of the information.
Second, signing with the private key and signature verification with the public key. The private key is used for signing, and every party that has obtained the corresponding public key can verify the signature and so confirm the source of the information.
Based on this, an embodiment of the present invention provides an online distribution system for the master key of financial electronic equipment. As shown in fig. 1, the system includes the financial institution confidential management system, the financial electronic equipment manufacturer system (chiefly its signature system) and the financial electronic equipment, and information passes between them in both directions. Fig. 1 shows the information exchanged among the three, which includes:
PK_Vnd: the manufacturer public key, generated by the manufacturer signature system;
SK_Vnd: the manufacturer private key, generated by the manufacturer signature system; together with PK_Vnd it forms a public/private key pair;
PK_Bank: the financial institution public key, generated by the financial institution confidential management system;
SK_Bank: the financial institution private key, generated by the financial institution confidential management system; together with PK_Bank it forms a public/private key pair;
PK_Epp: the public key generated by the financial electronic equipment;
SK_Epp: the private key generated by the financial electronic equipment; together with PK_Epp it forms a public/private key pair;
Sig(SK_Vnd)[PK_Bank]: the signature value of the manufacturer private key over the financial institution public key;
Sig(SK_Vnd)[PK_Epp]: the signature value of the manufacturer private key over the equipment public key;
Crypt(PK_Epp)[TMK]: the ciphertext of the financial electronic equipment master key encrypted with the financial electronic equipment public key;
Sig(SK_Bank)[Crypt(PK_Epp)[TMK]]: the signature value of the financial institution private key over Crypt(PK_Epp)[TMK].
Specifically, a specific method flow of the online master key distribution system of the financial electronic device is shown in fig. 2, where the method includes:
(1) The financial electronic equipment manufacturer exchanges information with the financial institution:
Step 201: the financial institution confidential management system generates and stores a first public/private key pair, the first public key PK_Bank and the first private key SK_Bank, with the private key guaranteed never to leave the hardware encryption module, and then sends the first public key PK_Bank to the financial electronic equipment manufacturer system;
Step 202: the financial electronic equipment manufacturer system randomly generates and stores, through its hardware encryption module, a second public/private key pair, the second public key PK_Vnd and the second private key SK_Vnd, signs the first public key PK_Bank with the second private key SK_Vnd to obtain first signature information Sig(SK_Vnd)[PK_Bank], and sends the second public key PK_Vnd and the first signature information Sig(SK_Vnd)[PK_Bank] to the financial institution confidential management system for storage;
(2) The financial electronic equipment exchanges information with the financial electronic equipment manufacturer:
Step 203: the financial electronic equipment randomly generates and stores, using the security chip in the equipment, a third public/private key pair, the third public key PK_Epp and the third private key SK_Epp, with the private key guaranteed never to leave the security chip of the electronic equipment, and sends the third public key PK_Epp to the financial electronic equipment manufacturer system;
Step 204: the financial electronic equipment manufacturer system signs the third public key PK_Epp with the second private key SK_Vnd to obtain second signature information Sig(SK_Vnd)[PK_Epp], and sends the second public key PK_Vnd and the second signature information Sig(SK_Vnd)[PK_Epp] to the financial electronic equipment for storage;
(3) Issuing the master key of the financial electronic equipment:
Step 205: after the financial electronic equipment connects to the network of the financial institution, it sends the third public key PK_Epp and the second signature information Sig(SK_Vnd)[PK_Epp] to the financial institution confidential management system;
Step 206: the financial institution confidential management system retrieves the stored second public key PK_Vnd and uses it to verify the second signature information Sig(SK_Vnd)[PK_Epp]; after the verification passes, it randomly generates a master key TMK, generates a first master key check value checkValue, encrypts the master key TMK with the third public key PK_Epp to obtain a master key ciphertext Crypt(PK_Epp)[TMK], signs the master key ciphertext Crypt(PK_Epp)[TMK] with the first private key SK_Bank to obtain third signature information Sig(SK_Bank)[Crypt(PK_Epp)[TMK]], and sends the third signature information Sig(SK_Bank)[Crypt(PK_Epp)[TMK]], the master key ciphertext Crypt(PK_Epp)[TMK], the first public key PK_Bank, the first signature information Sig(SK_Vnd)[PK_Bank] and the first master key check value checkValue to the financial electronic equipment;
Step 207: the financial electronic equipment verifies the first signature information Sig(SK_Vnd)[PK_Bank] with the second public key PK_Vnd; after that verification passes, it verifies the third signature information Sig(SK_Bank)[Crypt(PK_Epp)[TMK]] with the first public key PK_Bank; after that verification succeeds, it decrypts the master key ciphertext Crypt(PK_Epp)[TMK] with the third private key SK_Epp to obtain the master key TMK, calculates a second master key check value from the master key, compares the second master key check value with the first master key check value, and stores the master key TMK if the two are consistent.
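The checks in steps 206 and 207, traced end to end as an added example (not code from the patent or from any vendor). Textbook RSA without padding stands in for the HSM and security-chip operations so that it runs on the Python standard library alone; the check-value algorithm, the 16-byte key length and all function names are assumptions, since the page does not specify them.

```python
# Added illustration of steps 201-207; not code from the patent.
# Textbook RSA (no padding) is a stand-in for HSM / security-chip operations.
# It shows the message flow only and must not be reused as real cryptography.
import hashlib
import hmac
import secrets

E = 65537
TMK_LEN = 16  # assumed master key length in bytes

def _is_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=512):
    """Return (public, private) as ((n, e), (n, d)). Toy key size."""
    primes = []
    while len(primes) < 2:
        p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if p % E != 1 and p not in primes and _is_prime(p):
            primes.append(p)
    p, q = primes
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def pk_bytes(pk):
    """Serialise a public key (n, e) so that it can be signed."""
    return b"%d:%d" % pk

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(sk, data):            # Sig(SK)[data]
    return pow(_digest(data, sk[0]), sk[1], sk[0])

def verify(pk, data, sig):
    return pow(sig, pk[1], pk[0]) == _digest(data, pk[0])

def encrypt(pk, key):          # Crypt(PK)[key]
    return pow(int.from_bytes(key, "big"), pk[1], pk[0])

def decrypt(sk, ct):
    size = (sk[0].bit_length() + 7) // 8
    return pow(ct, sk[1], sk[0]).to_bytes(size, "big")[-TMK_LEN:]

def check_value(tmk):
    """Assumed check value: HMAC-SHA256 over a zero block, first 3 bytes."""
    return hmac.new(tmk, bytes(16), hashlib.sha256).digest()[:3]

def provision():
    """Steps 201-204: three key pairs and the two manufacturer signatures."""
    bank_pk, bank_sk = keygen()
    vendor_pk, vendor_sk = keygen()
    epp_pk, epp_sk = keygen()
    return {"bank_pk": bank_pk, "bank_sk": bank_sk, "vendor_pk": vendor_pk,
            "epp_pk": epp_pk, "epp_sk": epp_sk,
            "sig_bank_pk": sign(vendor_sk, pk_bytes(bank_pk)),  # step 202
            "sig_epp_pk": sign(vendor_sk, pk_bytes(epp_pk))}    # step 204

def bank_issue(bank_pk, bank_sk, sig_bank_pk, vendor_pk, epp_pk, sig_epp_pk):
    """Step 206: authenticate the device key, then wrap and sign a fresh TMK."""
    if not verify(vendor_pk, pk_bytes(epp_pk), sig_epp_pk):
        raise ValueError("device public key is not signed by the manufacturer")
    tmk = secrets.token_bytes(TMK_LEN)
    ct = encrypt(epp_pk, tmk)
    msg = {"ct": ct, "sig_ct": sign(bank_sk, b"%d" % ct), "bank_pk": bank_pk,
           "sig_bank_pk": sig_bank_pk, "kcv": check_value(tmk)}
    return msg, tmk

def device_install(msg, vendor_pk, epp_sk):
    """Step 207: every check must pass before the next one runs."""
    if not verify(vendor_pk, pk_bytes(msg["bank_pk"]), msg["sig_bank_pk"]):
        raise ValueError("bank public key is not signed by the manufacturer")
    if not verify(msg["bank_pk"], b"%d" % msg["ct"], msg["sig_ct"]):
        raise ValueError("master key ciphertext signature is invalid")
    tmk = decrypt(epp_sk, msg["ct"])
    if not hmac.compare_digest(check_value(tmk), msg["kcv"]):
        raise ValueError("master key check value mismatch")
    return tmk  # the device would now store the TMK

if __name__ == "__main__":
    p = provision()
    msg, tmk = bank_issue(p["bank_pk"], p["bank_sk"], p["sig_bank_pk"],
                          p["vendor_pk"], p["epp_pk"], p["sig_epp_pk"])
    print("TMK installed:", device_install(msg, p["vendor_pk"], p["epp_sk"]) == tmk)
    try:  # constructed failure case: ciphertext altered in transit
        device_install(dict(msg, ct=msg["ct"] ^ 1), p["vendor_pk"], p["epp_sk"])
    except ValueError as err:
        print("rejected:", err)
```

Because each failure raises before the next step runs, a message carrying a bank key the manufacturer never signed is rejected before the device uses its private key at all.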
For example, when the financial electronic device includes a plurality of devices, the method is implemented as follows:
After a bank purchases a batch of intelligent POS machines from a financial electronic equipment manufacturer and the contract is signed, the bank generates a public/private key pair through the hardware encryption module of its key management system and exports the public key in plaintext to business personnel. The business personnel then provide the public key and the serial number of the POS machine manufacturer to the intelligent POS machine manufacturer by mail. The intelligent POS machine manufacturer likewise generates a public/private key pair using the hardware encryption module in its own confidential management system, calls an encryption machine instruction to sign the public key from the bank's mail with its private key, and replies to the bank with a mail containing the signature value and the public key generated by its confidential management system. After receiving the mail, the bank writes the signature value of its own public key, the POS machine manufacturer public key and the manufacturer number into the database of its own confidential management system. Each time the POS machine manufacturer produces a POS machine, it calls the security chip in the POS machine to generate a public/private key pair and calls a security chip instruction to export the internal public key. The POS machine manufacturer also signs the POS machine public key with its own private key, and writes the signature value, the manufacturer public key and the manufacturer number back to the POS machine. After the POS machine is delivered to the bank and connected to the bank network, it automatically sends the built-in POS machine public key, the POS machine manufacturer number and the signature value of the POS machine manufacturer private key over the POS machine public key to the bank confidential management system.
The bank confidential management system retrieves the manufacturer public key by the manufacturer number and verifies the signature value of the POS machine public key; once the signature passes verification, the one-way authentication of the POS machine by the bank is complete. The bank confidential management system then encrypts a randomly generated POS machine master key with the now trusted POS machine public key, signs the result, and returns to the POS machine the encrypted master key, the signature over the encrypted value, the bank's own public key and the POS machine manufacturer's signature over the bank public key. The POS machine uses its security chip and the built-in POS machine manufacturer public key to verify the signature on the bank public key; once that verification passes, the one-way authentication of the bank confidential management system by the POS machine is complete. With the identity of the bank public key trusted, the POS machine uses the bank public key to verify the signature on the master key encrypted with the POS machine public key, decrypts the ciphertext with its private key after the signature verification passes, and finally obtains the plaintext of the device master key.
The invention also provides a computer device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the computer program to realize the online distribution method of the master key of the financial electronic device.
Based on the method, the invention also provides a computer readable storage medium, which stores a computer program for executing the online distribution method of the financial electronic device master key.
The system and method provided by the invention exchange the master key online by embedding a third party's signature and public key in both the POS machine and the financial institution's key management system. Where the security requirement is low or the usage scenario of the financial device is controllable, the online distribution system for the financial electronic device master key can also interact as follows.
As shown in Fig. 3, the system also comprises a financial institution key management system, a financial electronic equipment manufacturer system (mainly a signature system) and financial electronic equipment. In this case, however, information is not transmitted in both directions between the financial institution key management system and the financial electronic equipment; transmission among the financial institution key management system, the financial electronic equipment manufacturer system and the financial electronic equipment is one-way.
Specifically, the information exchanged among the three includes:
BaseKey: a symmetric key, randomly initialized by the financial institution;
SecurityCode: a discrete factor randomly generated by the financial electronic equipment;
Discrete key algorithm: an algorithm, agreed between the financial institution and the financial electronic equipment manufacturer, that combines the BaseKey with the discrete factor (SecurityCode); it is built into the financial electronic equipment (that is, the POS machine).
The method flow of the online master key distribution system of the financial electronic equipment is as follows:
The financial institution randomly initializes a symmetric key (BaseKey) and delivers the BaseKey to the financial electronic equipment manufacturer to be written into the financial electronic equipment. The financial institution and the manufacturer agree on a discrete key algorithm that combines the BaseKey with a discrete factor (SecurityCode), and every POS machine ordered from the manufacturer has this algorithm built in.
After the POS machine is connected to the financial institution's key management network, it randomly generates a SecurityCode and sends it to the financial institution's key management system. The financial institution generates a master key from the BaseKey, the SecurityCode and the discrete key algorithm agreed with the manufacturer, encrypts a randomly generated work key with the master key, and sends it to the financial electronic equipment.
After the financial electronic equipment receives the encrypted work key, it recovers the master key from the same BaseKey, SecurityCode and agreed discrete key algorithm (the same method yields the same master key), then decrypts the work key and stores it in the equipment.
Because there is no mutual authentication between the financial electronic equipment and the financial institution key management system, there is a risk that one of the two parties is counterfeited in order to control or damage the other. This variant is therefore only suitable for relatively controllable scenarios.
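The symmetric variant above, as an added Go example that is not part of the patent: `Diversify`, `WrapWorkKey` and `UnwrapWorkKey` are hypothetical names, and HMAC-SHA256 as the discrete (key diversification) algorithm and AES-256-GCM as the cipher are assumptions, since the patent specifies neither.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Assumed, not specified by the patent: HMAC-SHA256 as the discrete key
// algorithm and AES-256-GCM to protect the work key.

// Diversify derives the per-device master key from BaseKey and SecurityCode.
func Diversify(baseKey, securityCode []byte) []byte {
	m := hmac.New(sha256.New, baseKey)
	m.Write(securityCode)
	return m.Sum(nil)
}

func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// WrapWorkKey is the bank side: derive the master key, encrypt the work key.
// Nothing here authenticates the sender of securityCode (the risk noted in the text).
func WrapWorkKey(baseKey, securityCode, workKey []byte) ([]byte, error) {
	a, err := gcm(Diversify(baseKey, securityCode))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return a.Seal(nonce, nonce, workKey, securityCode), nil // nonce || ciphertext || tag
}

// UnwrapWorkKey is the device side: same derivation, then decrypt.
func UnwrapWorkKey(baseKey, securityCode, blob []byte) ([]byte, error) {
	a, err := gcm(Diversify(baseKey, securityCode))
	if err != nil {
		return nil, err
	}
	if len(blob) < a.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], securityCode)
}

func main() {
	baseKey := []byte("constructed BaseKey for this demo") // written into the device at the factory
	code := make([]byte, 16)                               // device-generated SecurityCode
	if _, err := rand.Read(code); err != nil {
		panic(err)
	}
	blob, err := WrapWorkKey(baseKey, code, []byte("constructed work key"))
	if err != nil {
		panic(err)
	}
	wk, err := UnwrapWorkKey(baseKey, code, blob)
	fmt.Printf("device recovered %q, err=%v\n", wk, err)
}
```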
In summary, the online distribution method and system for the master key of financial electronic equipment provided by the invention have the following beneficial effects:
An interaction process among the financial electronic equipment, the financial electronic equipment manufacturer and the financial institution is designed in which the manufacturer acts as an intermediary to achieve bidirectional authentication between the financial electronic equipment and the financial institution. The relevant public/private key information and signatures are built in before the equipment leaves the factory, which greatly reduces the financial institution's maintenance resources while the equipment is in use and saves a large amount of manpower. No plaintext exists while the master key is in transit, which greatly reduces the risk of master key leakage. Moreover, online master key distribution is imperceptible to users of the financial electronic equipment (such as merchants using POS machines), which gives customers a better experience.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes may be made to the embodiment of the present invention by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An online distribution method for a master key of a financial electronic device, comprising:
the financial institution key management system generates and stores a first public/private key pair, consisting of a first public key and a first private key, and sends the first public key to a financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system generates and stores a second public/private key pair, consisting of a second public key and a second private key, signs the first public key with the second private key to obtain first signature information, and sends the second public key and the first signature information to the financial institution key management system;
the financial electronic equipment generates and stores a third public/private key pair, consisting of a third public key and a third private key, and sends the third public key to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system signs the third public key with the second private key to obtain second signature information, and sends the second public key and the second signature information to the financial electronic equipment;
the financial electronic equipment sends the third public key and the second signature information to the financial institution key management system;
the financial institution key management system verifies the second signature information with the second public key, generates a master key after the verification passes, encrypts the master key with the third public key to obtain a master key ciphertext, signs the master key ciphertext with the first private key to obtain third signature information, and sends the third signature information, the master key ciphertext, the first public key, the first signature information and a first master key check value to the financial electronic equipment;
the financial electronic equipment verifies the first signature information with the second public key, verifies the third signature information with the first public key after the first signature information passes verification, decrypts the master key ciphertext with the third private key after that verification succeeds to obtain the master key, calculates a second master key check value from the master key, compares the second master key check value with the first master key check value, and stores the master key if the two are consistent.
2. The financial electronic device master key online distribution method according to claim 1, wherein there are a plurality of financial electronic devices, each financial electronic device having a manufacturer number;
further comprising:
the financial institution key management system sends the manufacturer number to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system sends the manufacturer number to the financial electronic equipment;
the financial electronic equipment sends the manufacturer number to the financial institution key management system;
and the financial institution key management system finds the second public key among the stored public keys according to the manufacturer number.
3. An online distribution system for a master key of a financial electronic device, comprising: a financial institution key management system, a financial electronic equipment manufacturer system and financial electronic equipment;
the financial institution key management system is used for: generating and storing a first public/private key pair, consisting of a first public key and a first private key, and sending the first public key to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system is used for: generating and storing a second public/private key pair, consisting of a second public key and a second private key, signing the first public key with the second private key to obtain first signature information, and sending the second public key and the first signature information to the financial institution key management system;
the financial electronic equipment is used for: generating and storing a third public/private key pair, consisting of a third public key and a third private key, and sending the third public key to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system is used for: signing the third public key with the second private key to obtain second signature information, and sending the second public key and the second signature information to the financial electronic equipment;
the financial electronic equipment is used for: sending the third public key and the second signature information to the financial institution key management system;
the financial institution key management system is used for: verifying the second signature information with the second public key, generating a master key after the verification passes, encrypting the master key with the third public key to obtain a master key ciphertext, signing the master key ciphertext with the first private key to obtain third signature information, and sending the third signature information, the master key ciphertext, the first public key, the first signature information and a first master key check value to the financial electronic equipment;
the financial electronic equipment is used for: verifying the first signature information with the second public key, verifying the third signature information with the first public key after the first signature information passes verification, decrypting the master key ciphertext with the third private key after that verification succeeds to obtain the master key, calculating a second master key check value from the master key, comparing the second master key check value with the first master key check value, and storing the master key if the two are consistent.
4. The financial electronic device master key online distribution system of claim 3, wherein there are a plurality of financial electronic devices, each financial electronic device having a manufacturer number;
the financial institution key management system is also used for: sending the manufacturer number to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system is also used for: sending the manufacturer number to the financial electronic equipment;
the financial electronic equipment is also used for: sending the manufacturer number to the financial institution key management system;
the financial institution key management system is also used for: finding the second public key among the stored public keys according to the manufacturer number.
5. An online distribution method for a master key of a financial electronic device, comprising:
the financial institution key management system generates a symmetric key and sends the symmetric key to a financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system sends the symmetric key to the financial electronic equipment;
the financial electronic equipment generates a discrete factor and sends the discrete factor to the financial institution key management system;
the financial institution key management system obtains a protection key from the symmetric key, the discrete factor and a preset discrete key algorithm, encrypts a master key with the protection key to obtain an encrypted master key, and sends the encrypted master key to the financial electronic equipment;
the financial electronic equipment obtains a protection key from the symmetric key, the discrete factor and the preset discrete key algorithm, and uses the protection key to discretely decrypt the encrypted master key to obtain a master key plaintext.
6. An online distribution system for a master key of a financial electronic device, comprising: a financial institution key management system, a financial electronic equipment manufacturer system and financial electronic equipment;
the financial institution key management system is used for: generating a symmetric key, and sending the symmetric key to the financial electronic equipment manufacturer system;
the financial electronic equipment manufacturer system is used for: sending the symmetric key to the financial electronic equipment;
the financial electronic equipment is used for: generating a discrete factor, and sending the discrete factor to the financial institution key management system;
the financial institution key management system is used for: obtaining a protection key from the symmetric key, the discrete factor and a preset discrete key algorithm, encrypting a master key with the protection key to obtain an encrypted master key, and sending the encrypted master key to the financial electronic equipment;
the financial electronic equipment is used for: obtaining a protection key from the symmetric key, the discrete factor and the preset discrete key algorithm, and discretely decrypting the encrypted master key with the protection key to obtain a master key plaintext.
7. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method for online distribution of master keys of financial electronic devices according to any one of claims 1 to 2 when executing the computer program.
8. A computer-readable storage medium storing a computer program for executing the method for online distribution of a master key of a financial electronic device according to any one of claims 1 to 2.
9. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method for online distribution of master keys of a financial electronic device as claimed in claim 5 when executing the computer program.
10. A computer-readable storage medium storing a computer program for executing the financial electronic device master key online distribution method according to claim 5.
CN201811364197.1A 2018-11-16 2018-11-16 Online distribution method and system for master key of financial electronic equipment Active CN109547208B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811364197.1A CN109547208B (en) 2018-11-16 2018-11-16 Online distribution method and system for master key of financial electronic equipment


Publications (2)

Publication Number Publication Date
CN109547208A (en) 2019-03-29
CN109547208B (en) 2021-11-09
